RE: The evaluate function
> Apart from all the issues mentioned by Mr. Kay, an eval()
> function makes it rather easy to open security holes in
> a style sheet.
> For example, once you figured out you can put an XPath into
> the nice "Enter your query here" field which is passed
> directly to an eval() function, what will stop you from
> entering
> document("file:///C/Documents and Settings/Administrator/preferences.xml")?
> :-)
> Or, if extension functions may be called indiscriminately:
> mswin:delete("C:\*.*","recursive")
>
I don't think you should rely on static analysis to stop stylesheets
performing mischief.
The latest Saxon releases have a switch allowing extension functions to be
disabled, so you can run untrusted stylesheets safely in a servlet
environment. It's then up to the web server to control what URLs are
accessible.
Mike Kay
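The two controls Mike Kay describes (switch extension functions off, and let the hosting side decide which URLs a stylesheet may reach) can be applied from JAXP without touching the stylesheet. The following is an added illustration written for this archive page; it is not code from the thread, from Saxon, or from Stylus Studio. It assumes a Saxon JAXP factory on the classpath, that the attribute string `http://saxon.sf.net/feature/allow-external-functions` is the Saxon switch for extension functions (it is wrapped in a try/catch so a non-Saxon factory simply ignores it), and that `/var/app/public-data/` and `/etc/secrets.xml` are placeholder paths. The `URIResolver` is the "web server controls what URLs are accessible" part: every `document()`, `xsl:import` and `xsl:include` URI is resolved against one allowed base and anything outside it, including the `file:///` reads from the quoted message, is refused.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URI;

public class LockedDownXslt {

    /** Resolver that only serves documents below one allowed base URI; everything else is refused. */
    static final class AllowListResolver implements URIResolver {
        private final String allowedBase;

        AllowListResolver(URI allowedBase) {
            this.allowedBase = allowedBase.normalize().toString();
        }

        @Override
        public Source resolve(String href, String base) throws TransformerException {
            URI target;
            try {
                // Resolve against the allowed base, not the stylesheet's own base, and
                // normalize so "../" segments cannot walk out of the directory.
                target = URI.create(allowedBase).resolve(href).normalize();
            } catch (IllegalArgumentException malformed) {
                throw new TransformerException("document() access refused (malformed URI): " + href);
            }
            if (!target.toString().startsWith(allowedBase)) {
                // Absolute URIs such as file:///... or http://... land here.
                throw new TransformerException("document() access refused: " + href);
            }
            return new StreamSource(target.toString());
        }
    }

    /** Factory for running untrusted stylesheets: no extension functions, URL access under one base only. */
    static TransformerFactory hardenedFactory(URI allowedBase) throws TransformerException {
        TransformerFactory f = TransformerFactory.newInstance();
        // Standard JAXP switch; every compliant factory must accept it.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // Assumption: this is Saxon's attribute for the extension-function switch named in the thread.
            f.setAttribute("http://saxon.sf.net/feature/allow-external-functions", Boolean.FALSE);
        } catch (IllegalArgumentException notSaxon) {
            // Another JAXP implementation: the attribute is unknown, secure processing above still applies.
        }
        // Default resolver for document(), xsl:import and xsl:include in every Transformer this factory creates.
        f.setURIResolver(new AllowListResolver(allowedBase));
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Constructed untrusted stylesheet: the document() trick from the quoted message, placeholder path.
        String untrusted =
              "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "  <xsl:template match='/'><out>"
            + "    <xsl:copy-of select=\"document('file:///etc/secrets.xml')\"/>"
            + "  </out></xsl:template>"
            + "</xsl:stylesheet>";

        // Assumption: the only directory the hosting application wants document() to read from.
        TransformerFactory f = hardenedFactory(URI.create("file:///var/app/public-data/"));
        Transformer t = f.newTransformer(new StreamSource(new StringReader(untrusted)));

        StringWriter out = new StringWriter();
        try {
            t.transform(new StreamSource(new StringReader("<root/>")), new StreamResult(out));
            // Processors with a lenient recovery policy treat a failed document() as an empty node-set.
            System.out.println("Transformation ran, document() returned nothing: " + out);
        } catch (TransformerException refused) {
            System.out.println("Transformation refused: " + refused.getMessage());
        }
    }
}
```

Whether the refused `document()` surfaces as a transformation error or as an empty result depends on the processor's recovery policy, so a servlet that logs the resolver's exception gets the useful signal either way. Note that a `URIResolver` covers `document()`, `xsl:import` and `xsl:include` only; XSLT 2.0's `unparsed-text()` goes through a separate resolver in Saxon and needs the same allow-list treatment.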
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list